20. OpenID Connect
Signed Request
• Works only with a single identity provider
• Proprietary signature format
ID Token
• Works with multiple identity providers
• IETF JSON Web Signature
23. An Identity Layer provides:
• Who is the user that got authenticated
• Where was he authenticated
• When was he authenticated
• How was he authenticated
• What attributes he can give you
• Why he is providing them
29. Interoperable
Standard scopes
• openid, profile, email, address, phone
Method to ask for more granular claims
• Request object and claims
ID Token
• Info about the authenticated user
UserInfo endpoint
• Get attributes about the user
• Translate the tokens
30. Simple & Mobile Friendly
• JSON Based
• REST Friendly
• In simplest cases, just copy and paste
• Mobile & App Friendly
e.g., ID Token is signed JSON:
{
  "iss": "https://client.example.com",
  "sub": "24400320",
  "aud": "s6BhdRkqt3",
  "nonce": "n-0S6_WzA2Mj",
  "exp": 1311281970,
  "iat": 1311280970,
  "auth_time": 1311280969,
  "acr": "2",
  "at_hash": "MTIzNDU2Nzg5MDEyMzQ1Ng"
}
32. Flexible
Granular Request
• Through Request Object (JSON)
• Data Minimization
Aggregated Claims
• Does not disclose data recipients to data sources
Distributed Claims
• Decentralized Data Storage
33. Choice of your provider
• Can be Google, eBay, AOL, Deutsche Telekom etc.
• Can be your Phone => Self-Issued Provider
35. SAML Authentication
Actors: Alice, notary (Google), Eve.
1. Eve to Alice: Who are you? Get me a referral letter. Do not forget about your email!
2. Alice to notary: Please write me a referral letter.
3. Notary to Alice: Here you are.
4. Alice to Eve: Here is the certificate.
Referral letter (bearing the Official Google Seal, 株式会社グーグル印):
  Name: Alice de Wonderland
  Mail: alice@example.com
  Notary: Google.
36. Pseudo-Authentication using OAuth
Actors: Alice, Apartment Controller, Eve.
1. Eve to Alice: Who are YOU? Give me a valet key to your house. Then I will trust that you are the owner of the house.
2. Alice to Apartment Controller: Can you give me a valet key to my house?
3. Apartment Controller to Alice: Here you are!
4. Alice to Eve: Here is the key!
37. OpenID Connect Authentication
Actors: Alice, Butler (Google), Eve, Locker.
1. Eve to Alice: Who are you? Get me a referral letter. Do not forget about your email!
2. Alice to Butler: Give Eve the locker key and a referral letter.
3. Butler to Alice: Here you are!
4. Alice to Eve: Here you are.
Referral letter (bearing the Official Google Seal):
  Date: 2011/5/15 11:00:04
  Level of Assurance: 2
  Verifier: Google
38. OpenID Connect's Claims aggregation and distributed claims
Actors: Eve, UserInfo Endpoint (the Locker), claim sources Site X, Site Y, Site Z.
Claims about Alice (bearing the NY City Official Seal):
  Name: Alice de Wonderland
  DoB: 1989/3/3
  Sex: F
  Address: 135 Broadway, NY, NY
50. SCIM Enterprise User Schema Extension
• employeeNumber
– Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.
• costCenter
– Identifies the name of a cost center.
• organization
– Identifies the name of an organization.
• division
– Identifies the name of a division.
• department
– Identifies the name of a department.
• manager
– The User's manager. A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the "id" attribute of another User.
59. Working Group Members
• Key working group participants:
– Nat Sakimura – Nomura Research Institute – Japan
– John Bradley – Ping Identity – Chile
– Breno de Medeiros – Google – US
– Axel Nennker – Deutsche Telekom – Germany
– Torsten Lodderstedt – Deutsche Telekom – Germany
– Roland Hedberg – Umeå University – Sweden
– Andreas Åkre Solberg – UNINETT – Norway
– Chuck Mortimore – Salesforce – US
– Brian Campbell – Ping Identity – US
– George Fletcher – AOL – US
– Justin Richer – Mitre – US
– Nov Matake – Independent – Japan
– Mike Jones – Microsoft – US
• By no means an exhaustive list!
62. How We Make It Simple
• Build on OAuth 2.0
• Use JavaScript Object Notation (JSON)
• Build only the pieces that you need
• Goal: Easy implementation on all modern
development platforms
64. A Look Under the Covers
• ID Token
• Claims Requests
• UserInfo Claims
• Example Protocol Messages
65. OpenID Connect Authentication
Actors: Alice, Butler (Google), Bob, Locker. The locker key is labelled Access Token; the referral letter is labelled ID Token.
1. Bob to Alice: Who are you? Get me a referral letter. Do not forget about your email!
2. Alice to Butler: Give Eve the locker key and a referral letter.
3. Butler to Alice: Here you are!
4. Alice to Bob: Here you are.
Referral letter (ID Token, bearing the Official Google Seal):
  Date: 2011/5/15 11:00:04
  Level of Assurance: 2
  Verifier: Google
66. ID Token
• JWT representing logged-in session
• Claims:
– iss – Issuer
– sub – Identifier for subject (user)
– aud – Audience for ID Token
– iat – Time token was issued
– exp – Expiration time
– nonce – Mitigates replay attacks
– at_hash – Left-most half of the hash of the access token
– azp – Authorized Party
70. Using Access Token only for Authentication is Dangerous.
Actors: Alice, Butler, Eve. Only an Access Token (the locker key) is shown changing hands.
1. Eve to Alice: Who are you? Get me a referral letter. Do not forget about your email!
2. Alice to Butler: Give Eve the locker key and a referral letter.
3. Butler to Alice: Here you are!
4. Alice to Eve: Here you are.
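The claim list of slide 66 and the warning of slide 70, as an added example that is not part of the original deck: a relying party minting and then validating an ID Token in plain Python (stdlib only), checking iss, aud/azp, exp, nonce and at_hash so that a bare access token, or a token issued to some other client, is refused. The client id, issuer, shared HS256 secret and access token are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values, not from any real deployment; HS256 keeps the example stdlib-only,
# production deployments normally verify an RS256 signature with the provider's published key.
CLIENT_ID = "s6BhdRkqt3"
ISSUER = "https://server.example.com"
SHARED_SECRET = b"constructed-demo-client-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def at_hash(access_token: str) -> str:
    # at_hash = base64url(left-most 128 bits of SHA-256(access_token)) for HS256/RS256
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest()[:16])

def mint_id_token(claims: dict) -> str:
    # Issuer side: HS256 JWS in compact serialisation, header.payload.signature
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token: str, expected_nonce: str, access_token: str, now=None) -> dict:
    """Relying-party side: return the claims only if every check passes, else raise."""
    now = int(time.time()) if now is None else now
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an unexpected algorithm
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:  # issued to another client, not to us
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must name this client when aud lists several")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # replayed token from an earlier login
        raise ValueError("nonce mismatch")
    if claims.get("at_hash") != at_hash(access_token):  # access token swapped or substituted
        raise ValueError("access token not bound to this ID Token")
    return claims
```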
71. OpenID Connect's Claims aggregation and distributed claims
Actors: Bob, UserInfo Endpoint (the Locker), claim sources Site X, Site Y, Site Z.
Claims about Alice (bearing the NY City Official Seal):
  Name: Alice de Wonderland
  DoB: 1989/3/3
  Sex: F
  Address: 135 Broadway, NY, NY
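The UserInfo response behind the pictures on slides 38 and 71, as an added example not taken from the deck: resolving _claim_names and _claim_sources (the structure OpenID Connect Core uses for aggregated and distributed claims), where Site X's claim arrives embedded and Site Y's claims are fetched from its endpoint with a source-specific access token. All values, URLs and the fetch stub are constructed, and the payload decoder stands in for real signature verification.

```python
import base64, json

def _jwt_payload(jwt: str) -> dict:
    # Decodes the payload only: a stand-in for JWS verification, which a relying party
    # must perform against the claim source's key before trusting anything in it.
    part = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def resolve_claims(userinfo: dict, fetch_jwt) -> dict:
    """Fold aggregated and distributed claims into one dict; fetch_jwt(endpoint,
    access_token) returns the JWT served by a distributed claim source."""
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    out = {k: v for k, v in userinfo.items() if k not in ("_claim_names", "_claim_sources")}
    cache = {}  # decode or fetch each source once, even if it serves several claims
    for claim, src_id in names.items():
        src = sources.get(src_id)
        if src is None:
            raise ValueError(f"claim {claim!r} names unknown source {src_id!r}")
        if src_id not in cache:
            if "JWT" in src:         # aggregated: the source's JWT travels inside UserInfo
                cache[src_id] = _jwt_payload(src["JWT"])
            elif "endpoint" in src:  # distributed: only a pointer travels; data stays at source
                cache[src_id] = _jwt_payload(fetch_jwt(src["endpoint"], src.get("access_token")))
            else:
                raise ValueError(f"source {src_id!r} has neither JWT nor endpoint")
        if claim not in cache[src_id]:  # a source may only supply claims attributed to it
            raise ValueError(f"source {src_id!r} did not supply {claim!r}")
        out[claim] = cache[src_id][claim]
    return out

def _fake_jwt(claims: dict) -> str:
    # Constructed, unsigned stand-in for a claim source's JWT; the signature part is a placeholder
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.signature-placeholder"

# Constructed UserInfo response in the shape of OIDC Core 5.6.2: Site X's claim is
# aggregated (JWT embedded), Site Y's claims are distributed (endpoint + token embedded).
SAMPLE_USERINFO = {
    "sub": "24400320", "name": "Alice de Wonderland",
    "_claim_names": {"address": "siteX", "birthdate": "siteY", "gender": "siteY"},
    "_claim_sources": {
        "siteX": {"JWT": _fake_jwt({"address": "135 Broadway, NY, NY"})},
        "siteY": {"endpoint": "https://site-y.example/claims", "access_token": "ksj3n283dke"},
    },
}

def demo_fetch(endpoint: str, access_token: str) -> str:
    # Offline stand-in for the HTTPS GET to Site Y presenting the source-specific access token
    assert (endpoint, access_token) == ("https://site-y.example/claims", "ksj3n283dke")
    return _fake_jwt({"birthdate": "1989-03-03", "gender": "female"})
```

Calling resolve_claims(SAMPLE_USERINFO, demo_fetch) yields a flat claims dict in which the relying party never learns more from a source than the UserInfo endpoint attributed to it.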
81. Resources
• OpenID Connect
– http://openid.net/connect/
• OpenID Connect Working Group Mailing List
– http://lists.openid.net/mailman/listinfo/openid-specs-ab
• OpenID Connect Interop Wiki
– http://osis.idcommons.net/
• OpenID Connect Interop Mailing List
– http://groups.google.com/group/openid-connect-interop
• Mike Jones’ Blog
– http://self-issued.info/
• Nat Sakimura’s Blog
– http://nat.sakimura.org/
• John Bradley’s Blog
– http://www.thread-safe.com/
82. Current Status
• Waiting for dependencies to be completed
– JWS, JWE, JWA, JWK – IETF JOSE WG
– JSON Web Token (JWT) – IETF OAuth WG
– WebFinger – IETF Apps WG